TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Actions Are Needed to Improve the Effectiveness of the Physical Security Program

March 13, 2008

Reference Number: 2008-20-077

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Redaction Legend:
3(d) = Identifying Information - Other Identifying Information of an Individual or Individuals

Phone Number | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

March 13, 2008

MEMORANDUM FOR CHIEF, AGENCY-WIDE SHARED SERVICES

FROM: Michael R. Phillips
      Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Actions Are Needed to Improve the Effectiveness of the Physical Security Program (Audit # 200720030)

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) has an effective program for managing physical security at its facilities. This review was included in the Treasury Inspector General for Tax Administration Fiscal Year 2008 Annual Audit Plan and was part of the Information Systems Programs business unit's statutory requirements to annually review the adequacy and security of IRS technology.

Impact on the Taxpayer

The IRS has an obligation to protect the Federal Government tax administration system, which includes employees, tax return information, and equipment. Although the IRS has established a means to regularly review physical security controls, management has not ensured that all physical security reviews were completed as required. As a result, potential security risks at various IRS facilities may not be identified and mitigated in a timely manner.

Synopsis

The IRS has developed physical security controls for protecting its employees and taxpayer information. These controls are effective for identifying risks, assessing compliance with controls, correcting weaknesses when identified, and reporting incidents.

Risk assessments and compliance reviews are the primary tools used by the IRS to evaluate the adequacy of physical security controls. However, some risk assessments and compliance reviews have not been completed as required. As of October 25, 2007, IRS employees in the Physical Security and Emergency Preparedness office within the Agency-Wide Shared Services organization still needed to complete 328 (65 percent) of the 508 required risk assessments and 293 (68 percent) of the 432 required compliance reviews.

In addition, the Physical Security and Emergency Preparedness office had not maintained sufficient information to evaluate the overall IRS physical security program. Records of physical security reviews were not properly maintained and, in some instances, records of these reviews were either lost or misplaced. Also, reports used to monitor completion of the reviews were incomplete, and annual summary reports did not contain cumulative results or statistics to measure accomplishment. Due to these program weaknesses, the IRS cannot provide adequate assurance that the necessary controls are in place to protect employees, facilities, and sensitive taxpayer information. During this review, the Physical Security and Emergency Preparedness office made progress in developing controls to better monitor the IRS physical security program.

Overall, the Physical Security and Emergency Preparedness office has been effective at correcting physical security vulnerabilities identified during the risk assessment process. However, due to limited funding, not all vulnerabilities identified could be corrected. Management has taken appropriate steps to prioritize the necessary corrective actions and fund them as the budget allows. Management has also taken sufficient corrective actions on individual physical security incidents reported to the IRS Computer Security Incident Response Center through the Situation Awareness and Management Center.

Recommendations

To meet the requirements for conducting risk assessments and compliance reviews, we recommended that the Chief, Agency-Wide Shared Services, continue to increase monitoring of physical security activities and analyze current processes and work products. This analysis should focus on identifying methods for completing risk assessments and compliance reviews more efficiently. To better evaluate the IRS physical security program, we recommended that the Chief, Agency-Wide Shared Services, require the Physical Security and Emergency Preparedness office to maintain all required records of physical security reviews and to develop accurate, up-to-date management information with which to better evaluate the IRS physical security program.

Response

Management agreed with our recommendations. The Director, Physical Security and Emergency Preparedness, will increase monthly monitoring and analysis of physical security activities, pursue methods to streamline the risk assessment and compliance review process, and issue guidance requiring employees to forward completed and approved physical security review reports to the Physical Security and Emergency Preparedness Program Office within 30 days of management approval. The Director will elevate to management a list of overdue risk assessments and compliance reviews. Management's complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background
Results of Review
    Management Has Developed a Process for Evaluating Physical Security
        Recommendations 1 and 2
    Vulnerabilities Identified During Physical Security Reviews Are Properly Prioritized
    Reported Security Incidents Have Been Sufficiently Addressed
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Management's Response to the Draft Report

Abbreviations

IRS     Internal Revenue Service
PSEP    Physical Security and Emergency Preparedness

Background

The Internal Revenue Service (IRS) has an obligation to protect the Federal Government tax administration system, which includes employees, tax return information, and equipment. To meet this obligation, it has developed and documented physical security controls for protecting over 680 IRS facilities. Examples of physical security controls include perimeter fencing, surveillance cameras, security guards, and locked entryways.

The terrorist attacks of September 11, 2001, increased security awareness and brought a shift in the assessment of risks and vulnerabilities. The Treasury Inspector General for Tax Administration has performed two physical security reviews since September 11, 2001.[1] Both reviews outlined a number of security weaknesses and concerns. Recently, the Government Accountability Office recommended additional testing and monitoring of security alarms to increase the functionality of the systems.[2]

An organization as large as the IRS must have an effective physical security program that vigorously assesses risk, monitors compliance with controls, corrects weaknesses when they are identified, and reports and investigates incidents promptly. Physical security program responsibilities within the IRS were historically part of the Real Estate and Facilities Management Office in the Agency-Wide Shared Services organization. In Fiscal Year 2004, responsibility for physical security was moved to the Emergency Management and Physical Security Division in the Mission Assurance and Security Services organization. This effort was to bring together previously separate security functions and enable a consistent, unified approach to physical and information security.
On July 8, 2007, the IRS dissolved the Mission Assurance and Security Services organization and transferred responsibility for managing physical security to the Physical Security and Emergency Preparedness (PSEP) office in the Agency-Wide Shared Services organization.

This review focused on management of the IRS' physical security program. We performed the review at the offices of the Chief, Agency-Wide Shared Services, and Chief, Cybersecurity, in Washington, D.C., during the period April through October 2007. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] Physical Security Can Be Improved to Maximize Protection Against Unauthorized Access and Questionable Mail (Reference Number 2003-20-004, dated October 2002) and Taxpayer Remittances Were Generally Safeguarded Within the Cincinnati Submission Processing Site; However, Perimeter Security Needs Improvement (Reference Number 2004-30-183, dated September 2004).
[2] GAO Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, dated May 2006).

Results of Review

The process used by the PSEP office is generally effective for identifying risks, assessing compliance with controls, correcting weaknesses when identified, and reporting incidents. However, we did identify issues that need to be addressed to enable the IRS to provide more assurance that employees and sensitive taxpayer data are properly protected.

Management Has Developed a Process for Evaluating Physical Security

An effective physical security program requires that security controls be monitored regularly. The PSEP office should consistently ensure that the controls in place comply with existing guidance, align with evolving technologies, support the agency's mission, and accomplish their intended purpose. Risk assessments and compliance reviews are the primary tools used by the PSEP office to evaluate the adequacy of physical security controls in the IRS.

Risk assessments identify internal and external threats. They follow a quantitative process to determine which risks are acceptable or unacceptable. Compliance reviews assess the implementation of security program standards and requirements. The PSEP office should recommend the appropriate controls to reduce risk to an acceptable level.

We selected a judgmental sample of 50 IRS facilities to evaluate the adequacy of physical security reviews conducted for these facilities. At the time of our review, risk assessments were available for 47 of the 50 facilities and compliance reviews were available for 33 of the 50 facilities.
Because the remaining 3 risk assessments and 17 compliance reviews could not be located, we assumed they had not been conducted.

Generally, the 80 physical security reviews we analyzed were complete and conformed to IRS policies and procedures. The risk assessments and compliance reviews were conducted using a standardized form to assist the reviewers in covering all security aspects required in a facility's evaluation.

More management involvement is needed to enhance the review process

While the risk assessments and compliance reviews we evaluated were complete, the reviews were not being completed in a timely manner, and sufficient information was not being maintained by management to assess the process.

In October 2006, the Department of the Treasury increased the requirements for conducting risk assessments for certain large facilities from every 3 years or 4 years to every 2 years.[3] Figure 1 depicts the required frequency of both risk assessments and compliance reviews.

Figure 1: Frequency of Required Physical Security Reviews

Building Security Level | Number of Employees or Criticality | Frequency of Risk Assessments | Frequency of Compliance Reviews
Level I   | 10 or Fewer Employees | Every 4 Years | Every 3 Years
Level II  | 11 - 150 Employees | Every 4 Years | Every 3 Years
Level III | 151 - 450 Employees | Every 3 Years | Every 3 Years
Level IV  | 451 or More Employees | Every 2 Years | Every 2 or 3 Years[4]
Level V   | National Security Critical Infrastructure Assets | Every 2 Years | Every 2 Years

Source: Department of the Treasury and IRS security requirements.

The PSEP office is experiencing delays in conducting required physical security reviews at IRS facilities. To meet the new requirements, the PSEP office needed to complete 508 risk assessments and 432 compliance reviews during the period January 1 through December 31, 2007. As of October 25, 2007, the PSEP office still needed to complete 328 (65 percent) of the 508 risk assessments and 293 (68 percent) of the 432 compliance reviews. It is unlikely that all necessary security reviews will be completed according to the required schedule.

To address the backlog in conducting security reviews and determine the amount of time staff expended on physical security activities, the PSEP office requested that a workload analysis be performed. The analysis, conducted in March 2007, was based on the average physical security workload for 1 year. It provided useful information by identifying the time required to conduct a risk assessment and a compliance review and the number of employees needed to carry out the responsibilities of the program, considering the change in requirements. Management also requested that all PSEP office employees start tracking their time for various tasks beginning in Fiscal Year 2008.

These are positive steps that may help management determine the proper staffing level for the PSEP office. However, before the PSEP office requests more staff, we believe actions should be taken to evaluate the efficiency of the security review process. For example, risk assessments

[3] Department of the Treasury Security Manual, TDP 15-71, dated October 10, 2006.
[4] Compliance reviews should be conducted at least every 3 years for all Level IV IRS facilities. Compliance reviews for Level IV Processing Centers should be conducted every 2 years.

outlining program improvements recently implemented. The PSEP office is now preparing monthly status reports showing the percentages of required security reviews that have been completed. In addition, it now provides quarterly statistics for Business Performance Reviews to the Deputy Commissioner for Operations Support.

The PSEP office is also working to develop a comprehensive performance metrics database to be deployed in Fiscal Year 2008. This database will allow employees to directly load progress data about the completion of risk assessments and compliance reviews for monthly rollup reporting.

Recommendations

The Chief, Agency-Wide Shared Services, should:

Recommendation 1: Continue to increase monitoring of physical security activities, specifically the time expended on compliance reviews and risk assessments, and analyze the current processes and work products. This analysis should focus on identifying methods for completing risk assessments and compliance reviews more efficiently.

    Management's Response: IRS management agreed with this recommendation. The Director, PSEP, will increase monthly monitoring and analysis to ensure elevation to management of each risk assessment and compliance review that is scheduled and has not been performed.
    Software will be upgraded to assist security analysts with performing both reviews and ensure that all report requirements are current.

Recommendation 2: Require the PSEP office to maintain all required records of physical security reviews and to develop accurate, up-to-date management information with which to better evaluate the IRS physical security program.

    Management's Response: IRS management agreed with this recommendation. The Director, PSEP, will issue guidance to all PSEP office employees directing them to forward all completed and approved risk assessment and compliance review reports to the PSEP Program Office within 30 days of management approval. The Director will increase monitoring to ensure that monthly reporting of overdue and currently scheduled reviews is site specific.

Vulnerabilities Identified During Physical Security Reviews Are Properly Prioritized

Although the PSEP office has identified corrective actions to address all physical security vulnerabilities identified during risk assessments, it has not implemented many because of limited funding. The PSEP office has taken appropriate steps to prioritize the necessary corrective actions and fund them as the budget allows.

The PSEP office prepared a Master Fiscal Year 2007 Prioritized Proposed Security Project Listing showing all corrective actions and projected costs. According to the Master Listing, the projected costs of the 119 vulnerabilities that need funding totaled $3,750,000.
The PSEP office reported that it is unable to fund corrective actions totaling more than $1,000,000 for 31 (26 percent) of the 119 security vulnerabilities.

However, several of the unfunded items are upgrades of existing equipment, such as access card readers that are scheduled to be replaced in the near future as a result of Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors. This Directive requires implementation of a new standardized process for issuing identification badges that is designed to enhance security, reduce identity fraud, and protect the personal privacy of those issued Federal Government identification badges. Management made the decision to withhold funding for these actions because a coordinated approach is needed to ensure that the Directive is implemented consistently throughout the IRS.

Reported Security Incidents Have Been Sufficiently Addressed

IRS employees and managers are responsible for reporting individual physical security incidents to the IRS Computer Security Incident Response Center through the Situation Awareness and Management Center, which serves as the IRS' central communications and monitoring facility and is available 24 hours a day, 7 days a week. The incidents are reviewed by PSEP office managers, who should take necessary followup actions on each incident reported.
The types of incidents that must be reported include:

• Bomb threats
• Explosions
• Demonstrations
• Civil disturbances
• Fire
• Utility disruption or failure
• Sabotage
• Natural disasters
• Unusual weather conditions
• Terrorist/enemy attacks
• Hazardous materials
• Burglaries
• Robberies
• Thefts
• Destruction or loss of significant documents
• Receipt of information of terrorist activities
• Threats against or assaults upon IRS employees

Our analysis of the incident reports for the period April 1, 2006, through March 31, 2007, identified 1,136 incidents reported to the Computer Security Incident Response Center. Of these, 879 (77 percent) were due to an act of nature or facility/equipment.
Only 257 (23 percent) of the incidents reported would possibly require followup action and analysis by the PSEP office. Figure 2 presents an analysis of the types of incidents reported.

Figure 2: Types of Incidents Reported to the Computer Security Incident Response Center

Type of Incident Reported | Number | Percentage
Act of nature | 514 | 45%
Facility/equipment | 365 | 32%
Suspicious package | 84 | 7%
Personnel/taxpayer | 61 | 5%
Hazardous material | 23 | 2%
Bomb threat | 19 | 2%
Loss or theft of non-Information Technology property | 19 | 2%
Suspicious activity | 18 | 2%
Threats (personnel) | 18 | 2%
Other | 9 | 1%
Threats against facilities | 5 | Less than 1%
Tax data/tax processing equipment | 1 | Less than 1%
Total | 1,136 |

Source: Situation Awareness and Management Center report "Physical Incidents by Type and Location," dated March 31, 2007.

We reviewed each of the 257 incidents that might require corrective actions to physical security, such as lost badges, missing or damaged equipment, or broken windows and doors. From these, we sampled 27 of the incidents and contacted the respective managers. We confirmed that sufficient corrective actions had been taken in each case.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS has an effective program for managing physical security at its facilities. To accomplish our objective, we:

I.  Determined whether required physical security reviews were completed at IRS facilities in accordance with Federal Government standards and IRS guidance.
    A. Identified and reviewed updated policies on physical security and data protection requirements and standards.
    B. Interviewed the Program Director in the PSEP office within the Agency-Wide Shared Services organization to determine the processes and standard operating procedures used for managing the IRS' physical security program.
    C. Reviewed IRS physical security Area Office[1] records for Areas 1 and 2.
    D. Selected a judgmental sample of 50 IRS facilities in Areas 1 and 2 from a population of 680 offices, reviewed documentation of risk assessments and compliance reviews conducted for the 50 facilities, and determined whether the assessments and reviews were completed as required.
       We used a judgmental sample because we were not going to project the results to the population.
II. Determined whether physical security incidents identified at IRS facilities had been sufficiently addressed.
    A. Identified and evaluated the efforts taken to address employee safety and physical security.
    B. Determined whether the PSEP office was effectively monitoring the IRS physical security program at the national level.
    C. Identified all physical security and employee incidents reported to the Computer Security Incident Response Center by type and location for the period April 1, 2006, through March 31, 2007. We identified 257 incidents that indicated corrective actions were required to improve physical security and selected a judgmental sample of 27 to confirm implementation of corrective actions. We used a judgmental sample because we were not going to project the results to the population.

[1] A geographic organizational level used by IRS business units and offices to help their specific types of taxpayers understand and comply with tax laws and issues.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen Mullins, Director
Michelle Griffin, Audit Manager
David Brown, Lead Auditor
Cari Fogle, Senior Auditor
George Franklin, Senior Auditor

Appendix III

Report Distribution List

Acting Commissioner C
Office of the Commissioner – Attn: Acting Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Information Officer OS:CIO
Director, Program Oversight OS:CIO:SM:PO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Controls OS:CFO:CPIC:IC
Audit Liaisons:
    Chief, Agency-Wide Shared Services OS:A
    Chief Information Officer OS:CIO

Appendix IV

Management's Response to the Draft Report